Right before big longhorn diff
@@ -75,3 +75,7 @@ Email Attribute: mail
|
||||
|
||||
* EVERYTHING
|
||||
https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
|
||||
|
||||
* DRONE AND GITEA
|
||||
?
|
||||
https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l
|
||||
|
||||
@@ -17,3 +17,20 @@ data:
|
||||
{{- $pass := (get $secretData "password") | default "UNDEFINED" -}}
|
||||
{{- $pass | quote -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- /*
|
||||
Returns given number of random Hex characters.
|
||||
- randNumeric 4 | atoi generates a random number in [0, 10^4)
|
||||
This is a range range evenly divisble by 16, but even if off by one,
|
||||
that last partial interval offsetting randomness is only 1 part in 625.
|
||||
- mod N 16 maps to the range 0-15
|
||||
- printf "%x" represents a single number 0-15 as a single hex character
|
||||
*/}}
|
||||
{{- define "randHex" -}}
|
||||
{{- $result := "" }}
|
||||
{{- range $i := until . }}
|
||||
{{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
|
||||
{{- $result = print $result $rand_hex_char }}
|
||||
{{- end }}
|
||||
{{- $result }}
|
||||
{{- end }}
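Review bot: `randHex` is introduced here as a named template (`define "randHex"`), so callers must reach it with `include "randHex" N` (or `template`); it is not a pipeline function like `randAlphaNum`, and a call written as `randHex 32` will fail at render time with `function "randHex" not defined`, so a usage line in the header comment, e.g. `Usage: {{ include "randHex" 32 }} — a named template, not callable as a function`, would prevent that mistake. The helper's suitability for generating secrets rests on Sprig's `randNumeric` being `crypto/rand`-backed, which I believe holds for the Sprig v3 bundled with Helm 3 but not for the Sprig 2.x used by Helm 2 — worth confirming and stating in the comment, since the output is used elsewhere in this commit as an OAuth2 client secret. The unbiasedness argument is correct (10000 is exactly 625·16), but the prose has typos: `This is a range range evenly divisble by 16` should read `This is a range evenly divisible by 16`. The `randHex` define lies fully within the hunk; the define whose tail (`$pass | quote`) opens the hunk starts outside it.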
|
||||
|
||||
+20
-17
@@ -1,18 +1,25 @@
|
||||
---
|
||||
{{- define "homey.auth.ingress.annotations" }}
|
||||
nginx.ingress.kubernetes.io/auth-url: "https://git.zakobar.com/oauth/authorize"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://git.zakobar.com/login"
|
||||
# nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
|
||||
# nginx.ingress.kubernetes.io/configuration-snippet: |-
|
||||
# proxy_set_header X-Ldap-URL "ldap://openldap";
|
||||
# proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
|
||||
# proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
|
||||
# proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
|
||||
# proxy_set_header X-CookieName "homey.auth.cookie";
|
||||
# proxy_set_header Cookie $cookie_homey.auth.cookie;
|
||||
# proxy_set_header X-Remote-User $remote_user;
|
||||
# proxy_set_header X-Forwarded-Method $request_method;
|
||||
# proxy_set_header X-Ldap-Template "(uid=%(username)s)";
|
||||
# nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
|
||||
nginx.ingress.kubernetes.io/location-snippets: |-
|
||||
auth_request /auth
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |-
|
||||
location /auth {
|
||||
# proxy_pass http://ldap-auth-internal;
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
|
||||
proxy_set_header X-Ldap-URL "ldap://openldap";
|
||||
proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
|
||||
proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
|
||||
proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
|
||||
proxy_set_header X-CookieName "homey.auth.cookie";
|
||||
proxy_set_header Cookie $cookie_homey.auth.cookie;
|
||||
proxy_set_header X-Remote-User $remote_user;
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
proxy_set_header X-Ldap-Template "(uid=%(username)s)";
|
||||
}
|
||||
{{- end }}
|
||||
---
|
||||
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }}
|
||||
@@ -21,10 +28,6 @@
|
||||
# ---
|
||||
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }}
|
||||
---
|
||||
# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-pass") $) }}
|
||||
---
|
||||
# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-db-pass") $) }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
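Review bot: The LDAP bind password is rendered in cleartext into an Ingress annotation at `proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote }};`, which copies the `openldap-ro` Secret into an object readable by anyone with `get ingress` in the namespace and into `kubectl describe`, controller logs and the generated nginx.conf. If the ldap-auth daemon can take its bind DN/password from its own environment or command line, configure it there and drop the header; if the header must stay, the exposure should at least be called out in a comment on that line. That `get (get (lookup ...) "data") "password"` chain also lacks the `| default dict` guards the Secret templates in this commit use, so `helm template` / `--dry-run` (where `lookup` returns an empty map) will abort with a wrong-type error on `get` instead of rendering. Note too that `configuration-snippet` / `location-snippets` are governed by ingress-nginx's `allow-snippet-annotations` setting, which recent releases disable by default after CVE-2021-25742, so this design depends on re-enabling a controller-wide option that lets any Ingress author inject nginx directives. The `homey.auth.ingress.annotations` define is fully within the hunk.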
|
||||
|
||||
+30
-3
@@ -7,9 +7,35 @@ metadata:
|
||||
"helm.sh/resource-policy": "keep"
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict }}
|
||||
{{- $secretData := (get $secretObj "data") | default dict }}
|
||||
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
|
||||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict -}}
|
||||
{{- $secretData := (get $secretObj "data") | default dict -}}
|
||||
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
|
||||
password: {{ $pass | quote }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: drone-gitea-oauth2-key
|
||||
annotations:
|
||||
"helm.sh/resource-policy": "keep"
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-key") | default dict -}}
|
||||
{{- $secretData := (get $secretObj "data") | default dict -}}
|
||||
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
|
||||
password: {{ $pass | quote }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: drone-gitea-oauth2-secret
|
||||
annotations:
|
||||
"helm.sh/resource-policy": "keep"
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-secret") | default dict -}}
|
||||
{{- $secretData := (get $secretObj "data") | default dict -}}
|
||||
{{- $pass := (get $secretData "password") | default (randHex 32 | b64enc) -}}
|
||||
password: {{ $pass | quote }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
@@ -29,6 +55,7 @@ spec:
|
||||
containers:
|
||||
- name: gitea
|
||||
image: gitea/gitea:latest
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
name: http
|
||||
volumeMounts:
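Review bot: `randHex 32 | b64enc` in the new `drone-gitea-oauth2-secret` block invokes `randHex` as a pipeline function, but the only `randHex` this commit provides is a named template (`define "randHex"`), which Go templates cannot call that way, so rendering should fail with `function "randHex" not defined`; the line needs `{{- $pass := (get $secretData "password") | default (include "randHex" 32 | b64enc) -}}`. The two sibling Secrets use `randAlphaNum 32`, so unless 32 hex characters (128 bits) is a format requirement of Drone's client secret, reusing `randAlphaNum 32` keeps the three blocks consistent and avoids the helper. The hunk also shows the gitea container as `image: gitea/gitea:latest`; pinning a version tag (ideally a digest) keeps the rollout reproducible and stops a registry-side change from deploying unreviewed. The Deployment spec continues outside the hunk.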
|
||||
|
||||
@@ -21,6 +21,7 @@ spec:
|
||||
image: linuxserver/ldap-auth
|
||||
imagePullPolicy: Always
|
||||
---
|
||||
#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
@@ -31,4 +32,39 @@ spec:
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 9000
|
||||
name: ldap-auth-port
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: ldap-auth-internal
|
||||
spec:
|
||||
selector:
|
||||
app: ldap-auth
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8888
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ldap-auth-ingress
|
||||
annotations:
|
||||
spec:
|
||||
ingressClassName: {{ .Values.homey.ingress_class }}
|
||||
tls:
|
||||
- hosts:
|
||||
- auth.{{ .Values.homey.url }}
|
||||
secretName: {{ .Values.homey.certname }}
|
||||
rules:
|
||||
- host: auth.{{ .Values.homey.url }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ldap-auth
|
||||
port:
|
||||
number: 80
|
||||
---
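Review bot: The new `ldap-auth-ingress` publishes the `ldap-auth` Service on `auth.{{ .Values.homey.url }}` with an empty `annotations:` block, so unlike the `phpldapadmin` Ingress in this commit it has neither a `whitelist-source-range` nor an auth gate in front of it. Per the `homey.auth.ingress.annotations` snippet in this commit, the daemon behind this Service takes its LDAP URL, bind DN and bind password from request headers (`X-Ldap-URL`, `X-Ldap-BindDN`, `X-Ldap-BindPass`); if the port 80 → 9000 path reaches that daemon rather than only a login page, an unauthenticated Internet client could point it at an LDAP server of its choosing, so it is worth confirming which process in `linuxserver/ldap-auth` listens on 9000 before exposing it. Either restrict the Ingress (`nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"`, as used for phpldapadmin) or add a comment stating why it must be public. A bare `annotations:` also renders as `null` and should be removed or given a value. The `ldap-auth` Deployment at the top of this section starts outside the hunk.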
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@ kind: Ingress
|
||||
metadata:
|
||||
name: phpldapadmin
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
|
||||
{{ template "homey.auth.ingress.annotations" $ }}
|
||||
spec:
|
||||
ingressClassName: {{ .Values.homey.ingress_class }}
|
||||
tls:
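Review bot: `{{ template "homey.auth.ingress.annotations" $ }}` inlines the define's output verbatim, and `template` cannot be piped through `nindent`, so the annotation lines it emits only land under `annotations:` if the define itself carries the right indentation for every call site; the rendered page has lost leading whitespace, so that cannot be confirmed here. The conventional form is `{{- include "homey.auth.ingress.annotations" $ | nindent 4 }}`, which also keeps the multi-line `configuration-snippet: |-` value indented relative to its key wherever the helper is reused. The Ingress spec continues outside the hunk.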
|
||||
|
||||